CVE Alert: CVE-2025-54403 – Planet – WGR-500
CVE-2025-54403
Multiple OS command injection vulnerabilities exist in the swctrl functionality of Planet WGR-500 v1.3411b190912. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This command injection is related to the `new_password` request parameter.
AI Summary Analysis
Risk verdict
High risk: remote OS command injection on Planet WGR-500 can be triggered over the network with low privileges and no user interaction.
Why this matters
An attacker could execute arbitrary commands on the device, potentially taking full control, exfiltrating data, disrupting operations, or pivoting to adjacent systems. In networked or OT-adjacent deployments, this threatens service availability and safety-critical processes.
Most likely attack path
Exploitation requires network access to the device and targets the swctrl functionality via the new_password parameter. With AV=Network, AC=Low, PR=Low, and UI=None, an unauthenticated attacker can trigger a total impact attack without user interaction, once network access is present. Scope is unchanged, so impact is concentrated on the compromised device but can affect connected components if the device holds critical roles.
Who is most exposed
Common in deployments where WGR-500 devices are reachable on internal networks or exposed remote management interfaces. OT/industrial and infrastructure environments with internet-facing management portals or lax segmentation are particularly at risk.
Detection ideas
- Unusual process creation or shell activity linked to swctrl/new_password handler.
- Network requests to the device containing unusual or crafted payloads targeting the new_password parameter.
- Sudden spikes in command execution events or privileged processes on the device.
- Authentication anomalies or repeated access attempts to management interfaces.
- Unexpected changes in device state following network traffic.
Mitigation and prioritisation
- Apply vendor patch as soon as available; validate in staging before production.
- Minimise exposure: disable or restrict swctrl remote commands; enforce network segmentation and least-privilege access.
- Enforce robust access controls: strong authentication, MFA where possible, and restrict management ports to approved admin networks.
- Monitor and alert: log command execution, network requests to the new_password parameter, and anomalous device reconfigurations; implement IDS/IPS rules where feasible.
- Change-management: plan coordinated patching windows, back up configurations, test regression impact, and update incident response playbooks. If KEV is confirmed or EPSS ≥ 0.5, treat as priority 1. Otherwise, treat as priority 2 pending those signals.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
